CVE-2026-45845— net/sched: taprio: fix NULL pointer dereference in class dump
Affected Version Matrix 12
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 665338b2a7a0139337d1f85be65ed16e487f84c1< ec2501e361b08b50bcb1e7b3253fc861abbda28d | affected |
665338b2a7a0139337d1f85be65ed16e487f84c1< d02e2fbf60de46678e2ea698a6a904fd21e1cc31 | affected | ||
665338b2a7a0139337d1f85be65ed16e487f84c1< 48b26d48e76221dc90b02bf5428bab53643461ca | affected | ||
665338b2a7a0139337d1f85be65ed16e487f84c1< 8f1ff8866cb9f655e5faea6994eb902960be8e04 | affected | ||
665338b2a7a0139337d1f85be65ed16e487f84c1< 3d07ca5c0fae311226f737963984bd94bb159a87 | affected | ||
6.6 | affected | ||
< 6.6 | unaffected | ||
6.6.141≤ 6.6.* | unaffected | ||
| … +4 more rows | |||
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-45845
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
net/sched: taprio: fix NULL pointer dereference in class dump
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: net/sched: taprio: fix NULL pointer dereference in class dump When a TAPRIO child qdisc is deleted via RTM_DELQDISC, taprio_graft() is called with new == NULL and stores NULL into q->qdiscs[cl - 1]. Subsequent RTM_GETTCLASS dump operations walk all classes via taprio_walk() and call taprio_dump_class(), which calls taprio_leaf() returning the NULL pointer, then dereferences it to read child->handle, causing a kernel NULL pointer dereference. The bug is reachable with namespace-scoped CAP_NET_ADMIN on any kernel with CONFIG_NET_SCH_TAPRIO enabled. On systems with unprivileged user namespaces enabled, an unprivileged local user can trigger a kernel panic by creating a taprio qdisc inside a new network namespace, grafting an explicit child qdisc, deleting it, and requesting a class dump. The RTM_GETTCLASS dump itself requires no capability. Oops: general protection fault, probably for non-canonical address 0xdffffc0000000007: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f] RIP: 0010:taprio_dump_class (net/sched/sch_taprio.c:2478) Call Trace: <TASK> tc_fill_tclass (net/sched/sch_api.c:1966) qdisc_class_dump (net/sched/sch_api.c:2326) taprio_walk (net/sched/sch_taprio.c:2514) tc_dump_tclass_qdisc (net/sched/sch_api.c:2352) tc_dump_tclass_root (net/sched/sch_api.c:2370) tc_dump_tclass (net/sched/sch_api.c:2431) rtnl_dumpit (net/core/rtnetlink.c:6864) netlink_dump (net/netlink/af_netlink.c:2325) rtnetlink_rcv_msg (net/core/rtnetlink.c:6959) netlink_rcv_skb (net/netlink/af_netlink.c:2550) </TASK> Fix this by substituting &noop_qdisc when new is NULL in taprio_graft(), a common pattern used by other qdiscs (e.g., multiq_graft()) to ensure the q->qdiscs[] slots are never NULL. This makes control-plane dump paths safe without requiring individual NULL checks. Since the data-plane paths (taprio_enqueue and taprio_dequeue_from_txq) previously had explicit NULL guards that would drop/skip the packet cleanly, update those checks to test for &noop_qdisc instead. Without this, packets would reach taprio_enqueue_one() which increments the root qdisc's qlen and backlog before calling the child's enqueue; noop_qdisc drops the packet but those counters are never rolled back, permanently inflating the root qdisc's statistics. After this change *old can be a valid qdisc, NULL, or &noop_qdisc. Only call qdisc_put(*old) in the first case to avoid decreasing noop_qdisc's refcount, which was never increased.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于net/sched taprio模块在类转储时未对已删除的子qdisc进行空指针检查,可能导致空指针解引用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-45845
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-45845
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-45845 (4)
Same Patch Batch · Linux · 2026-05-27 · 276 CVEs total
| CVE-2026-45898 | 9.8 CRITICAL | RDMA/iwcm: Fix workqueue list corruption by removing work_list |
| CVE-2026-45988 | 9.8 CRITICAL | rxrpc: Fix re-decryption of RESPONSE packets |
| CVE-2026-45972 | 9.8 CRITICAL | smb: client: fix potential UAF and double free in smb2_open_file() |
| CVE-2026-46039 | 9.8 CRITICAL | rxgk: Fix potential integer overflow in length check |
| CVE-2026-46043 | 9.1 CRITICAL | RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv |
| CVE-2026-45945 | 8.8 HIGH | iommu/vt-d: Fix race condition during PASID entry replacement |
| CVE-2026-46056 | 8.8 HIGH | Bluetooth: hci_event: fix potential UAF in SSP passkey handlers |
| CVE-2026-46037 | 8.2 HIGH | ipv4: icmp: validate reply type before using icmp_pointers |
| CVE-2026-45843 | 8.2 HIGH | slip: bound decode() reads against the compressed packet length |
| CVE-2026-46099 | 8.1 HIGH | net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels |
| CVE-2026-46010 | 8.1 HIGH | rxrpc: Fix error handling in rxgk_extract_token() |
| CVE-2026-46076 | 7.9 HIGH | KVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1 |
| CVE-2026-46015 | 7.8 HIGH | tcp: call sk_data_ready() after listener migration |
| CVE-2026-46053 | 7.8 HIGH | net: rds: fix MR cleanup on copy error |
| CVE-2026-46006 | 7.8 HIGH | drm/nouveau: fix u32 overflow in pushbuf reloc bounds check |
| CVE-2026-46011 | 7.8 HIGH | media: mtk-jpeg: fix use-after-free in release path due to uncancelled work |
| CVE-2026-45894 | 7.8 HIGH | iommu/vt-d: Clear Present bit before tearing down PASID entry |
| CVE-2026-46062 | 7.8 HIGH | ntfs3: fix integer overflow in run_unpack() volume boundary check |
| CVE-2026-46065 | 7.8 HIGH | fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info |
| CVE-2026-46036 | 7.8 HIGH | vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex |
Showing top 20 of 276 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-52907
media: rockchip: rkcif: fix off by one bugs - CVE-2026-52906
9p: fix access mode flags being ORed instead of replaced - CVE-2026-52905
mm/damon/core: disallow non-power of two min_region_sz on da - CVE-2026-52904
drm/nouveau: fix nvkm_device leak on aperture removal failur - CVE-2026-46332
greybus: gb-beagleplay: bound bootloader receive buffering
Same vendor: Linux
- CVE-2026-52907
media: rockchip: rkcif: fix off by one bugs - CVE-2026-52906
9p: fix access mode flags being ORed instead of replaced - CVE-2026-52905
mm/damon/core: disallow non-power of two min_region_sz on da - CVE-2026-52904
drm/nouveau: fix nvkm_device leak on aperture removal failur - CVE-2026-46332
greybus: gb-beagleplay: bound bootloader receive buffering
V. Comments for CVE-2026-45845
No comments yet